it is almost every time after I restart computer, when the wfc in the taskbar but i double click the icon there is no response , and if there are new program need to connect to the Internet ,there is no notice bar to show in the right down area.

sometimes i use the process explorer to end the wfc.exe and reopen wfc , it works , and sometimes still not work..

i want to now why , this question happens very frequent in many win10 inside versions and many wfc version . while i can only remember that last year , this status never exist , but since 2016， it came up.

it is almost every time after I restart computer, when the wfc in the taskbar but i double click the icon there is no response , and if there are new program need to connect to the Internet ,there is no notice bar to show in the right down area.

sometimes i use the process explorer to end the wfc.exe and reopen wfc , it works , and sometimes still not work..

i want to now why , this question happens very frequent in many win10 inside versions and many wfc version . while i can only remember that last year , this status never exist , but since 2016， it came up.

Alexandru, you know I report a problem with empty Connections Log. I thought, this was a one time problem only but unfortunately, it's not the case.

I have now more details about this behaviour:

1) I have this problem NOT with "Inbound" Log "Recently Allowed/Blocked connections" and

2) I have this problem NOT with "Outbound" Log "Recently Allowed connections"

3) I HAVE this problem with "Outbound" Log "Recently Blocked connections"

I see the following effect:

I have only few entries (maybe 10 or so) in the log and then - even at the same day - the log is cleared! Then few entries again and log is empty again and so far ...

So for me it seems a problem with the log size (limit) through WFC.

MAYBE this could be related to my NON english localized system (you know we have other signs and so (if you have in english localized Win a "," we could have a "." or vice versa.

Can you check this please?

Regards!

Alpengreis

EDIT:

PS: The protocol size from windows (%SystemRoot%\System32\Winevt\Logs\Security.evtx) is 20480 KB by the way, maybe WFC has a problem with defined limit for outgoing blocked size-/time only or so ...

Click to expand...

Please take a look at the screenshot below. My log size is 200MB, so the size is not a problem. Indeed, it took almost 4 minutes to process this log file on a i5 CPU with 8 cores. I have entries from the past 4 days, but depending on the Internet usage, all these 200MB can contains the entries only from the past few hours. For a log size of 20MB, depending on the Internet usage, the entries can be only from the past minutes.

1. When you say that Connections Log has a problem with the outbound blocked connections, check in the Security log if you have entries with Event ID 5157 and the Direction set to Outbound (%%14593). If you don't have such entries, then Connections Log has not found anything to match these. If you have such entries but Connections Log fails to read and display them, please check the WFC log for event ID 323. If no such event id is logged by WFC it means that the processing did not encounter any problem.
2. Try to disable the logging for allowed connections from Connections Log and check if the behavior changes.

WSH also protects services by using rules similar to those used by Windows Firewall. These rules are called service restriction rules, and they are built into Windows and can specify things such as which ports the service should listen on or which ports the service should send data over. An example of a built-in WSH rule might be "The DNS client service should send data only over port UDP/53 and should never listen on any port." These rules add additional protection to network services because network objects, such as ports, do not support ACLs.

Click to expand...

The reason I want to overide these rules is that some services on windows wont allow direct DNS queries because WSH blocks them, it seems anything running in a appcontainer (modern apps) and some services will fail to do dns lookups unless dnsclient service is enabled and these internal wsh rules are the reason.

Please take a look at the screenshot below. My log size is 200MB, so the size is not a problem. Indeed, it took almost 4 minutes to process this log file on a i5 CPU with 8 cores. I have entries from the past 4 days, but depending on the Internet usage, all these 200MB can contains the entries only from the past few hours. For a log size of 20MB, depending on the Internet usage, the entries can be only from the past minutes.

1. When you say that Connections Log has a problem with the outbound blocked connections, check in the Security log if you have entries with Event ID 5157 and the Direction set to Outbound (%%14593). If you don't have such entries, then Connections Log has not found anything to match these. If you have such entries but Connections Log fails to read and display them, please check the WFC log for event ID 323. If no such event id is logged by WFC it means that the processing did not encounter any problem.
2. Try to disable the logging for allowed connections from Connections Log and check if the behavior changes.

PS: I think 20480 (20 MB) is too low (I had not checked this right). So this value is reached too quick and then the oldest entries are overwritten too fast (I have MUCH allow entries). I test now with higher value as first measure ...

EDIT: The test is sucessfull till now - it SEEMS it's solved. Thanks again, Alexandru! My main mistake was that I thought with splitted logs, especially because I have created individual logs! Of course the real security log is ONE log with one defined size! My second mistake was that I took 20480 KB for 200 MB, uhhhh, that was bad ;-) In reality I had only 20 MB which was really too low.

BTW: could you not set this value higher while install? For example with a registry check "if the value is < 204800 set it to 204800" or at least "if the value is default 20480 set it to 204800" or you could make an option in WFC to set the size? Just an idea, but could be sensfully, because 20 MB default is really not enough.

The reason I want to overide these rules is that some services on windows wont allow direct DNS queries because WSH blocks them, it seems anything running in a appcontainer (modern apps) and some services will fail to do dns lookups unless dnsclient service is enabled and these internal wsh rules are the reason.

Click to expand...

It is possible to add support to view and modify these rules through Windows Firewall API but I will not implement it. There is a reason why these are not easily accessible to the users and my opinion is that the users should not change the default rules that are applied to Windows services.

PS: I think 20480 (20 MB) is too low (I had not checked this right). So this value is reached too quick and then the oldest entries are overwritten too fast (I have MUCH allow entries). I test now with higher value as first measure ...

EDIT: The test is sucessfull till now - it SEEMS it's solved. Thanks again, Alexandru! My main mistake was that I thought with splitted logs, especially because I have created individual logs! Of course the real security log is ONE log with one defined size! My second mistake was that I took 20480 KB for 200 MB, uhhhh, that was bad ;-) In reality I had only 20 MB which was really too low.

BTW: could you not set this value higher while install? For example with a registry check "if the value is < 204800 set it to 204800" or at least "if the value is default 20480 set it to 204800" or you could make an option in WFC to set the size? Just an idea, but could be sensfully, because 20 MB default is really not enough.

Click to expand...

I will see if I can add support in Connections Log to set the log size. I do not want to increase the log size automatically at installation because this is not always required. Note that increasing the log size will also increase the waiting time when processing the Security event log.

Here’s a compatibility issue that looked like it was involving WFC, but really wasn’t so I thought it would be good to share here in case it comes up…

I went to download EMET 5.51 today – it would not download. I eventually had a look at WFC connection log & my browsers were being blocked outbound when I clicked on the download. So I put WFC in ‘Low Filtering’ to allow all outbound traffic, but all browsers were still blocked when I clicked on the download (and still showing up in the WFC log). I had to exit WFC & stop the service to get the download to work.

But, I was replacing MBAE-free with EMET & had not uninstalled MBAE yet. Once I uninstalled MBAE I tested the download again & there were no issues – no blocked browsers. So it was just MBAE causing the problem, but it sure looked like it was WFC – all good now

Here’s a compatibility issue that looked like it was involving WFC, but really wasn’t so I thought it would be good to share here in case it comes up…

I went to download EMET 5.51 today – it would not download. I eventually had a look at WFC connection log & my browsers were being blocked outbound when I clicked on the download. So I put WFC in ‘Low Filtering’ to allow all outbound traffic, but all browsers were still blocked when I clicked on the download (and still showing up in the WFC log). I had to exit WFC & stop the service to get the download to work.

But, I was replacing MBAE-free with EMET & had not uninstalled MBAE yet. Once I uninstalled MBAE I tested the download again & there were no issues – no blocked browsers. So it was just MBAE causing the problem, but it sure looked like it was WFC – all good now

Click to expand...

The Security log (Connections Log) contains all connections blocked by Windows Firewall or by other security products. Since WFC does not block or allow anything, the source of blocking is always someone else, but not WFC.

Since WFC does not block or allow anything, the source of blocking is always someone else, but not WFC.

Click to expand...

right, but why would disabling WFC clear the block - this is why i thought i might be WFC & another app having a compatibility issue. I'm still not sure why this worked since it seems like it was all caused by MBAE

right, but why would disabling WFC clear the block - this is why i thought i might be WFC & another app having a compatibility issue. I'm still not sure why this worked since it seems like it was all caused by MBAE

Click to expand...

It was just a coincidence. The block was not made by WFC. Please check the user manual to find out how the notifications system works and how the connections are blocked in Windows Firewall. Best regards.

Now I get an error message when I go into Network "Network discovery is turned off". When I click turn on nothing happens. Same with the options in Control Panel>Network and Sharing Center>Advance sharing settings. Only when I turn off WFC does it remain on. As soon as I enable WFC (any Profiles) same problem. Tried restoring Windows Firewall default rules and WFC recommended rules with same results.

Obviously, all necessary Services are running as able to connect when WFC is Off.

Any help appreciated.

Thanks,
Robert

Win 10 Pro (clean install)

Alexandrud replied, "When you enable/disable some features from Windows (like Network Discovery, File and Printer Sharing), the operating system enables/disables some group names from the default set of rules. If you have removed these rules, then the operating system can't actually enable these functionalities because the rules from their corresponding groups are not there anymore. In this case, my recommendation is to reset your rules to the default set and start over with the removing carefully of the default rules."

Alexandrud, I have never disabled or removed any of WFC's or Windows default rules. Do you mean reset Windows Firewall with Advance Security to Default Rules and set WFC to just it's/your default rules and start all over again?

Now I get an error message when I go into Network "Network discovery is turned off". When I click turn on nothing happens. Same with the options in Control Panel>Network and Sharing Center>Advance sharing settings. Only when I turn off WFC does it remain on. As soon as I enable WFC (any Profiles) same problem. Tried restoring Windows Firewall default rules and WFC recommended rules with same results.

Obviously, all necessary Services are running as able to connect when WFC is Off.

Any help appreciated.

Thanks,
Robert

Win 10 Pro (clean install)

Alexandrud replied, "When you enable/disable some features from Windows (like Network Discovery, File and Printer Sharing), the operating system enables/disables some group names from the default set of rules. If you have removed these rules, then the operating system can't actually enable these functionalities because the rules from their corresponding groups are not there anymore. In this case, my recommendation is to reset your rules to the default set and start over with the removing carefully of the default rules."

Alexandrud, I have never disabled or removed any of WFC's or Windows default rules. Do you mean reset Windows Firewall with Advance Security to Default Rules and set WFC to just it's/your default rules and start all over again?

Robert

P.S. Why was I in Windows (10) Firewall topic? I deleted my posts.

Click to expand...

If you use Secure Rules, make sure that you add these default group names into the authorized groups list before enabling them from Advanced sharing settings.

On my system, pressing on the 1 does nothing, pressing on the 2 will create the green rules above. But, if I close the Advanced sharing settings window and reopen it, the 1 check box is again set to OFF. The same happens even if I disable Windows Firewall. It is probably a bug in Windows?

Change log:
- New: Added support to find duplicate rules in Rules Panel.
- Fixed: The application always uses the Calibri font family which for some users may not be the best font. If the user changes the default font from the Advanced Appearance Settings... dialog, WFC is still displayed with Calibri font. Now the WFC user interface reflects the system font.
- Fixed: Pressing multiple times on F1 key will open multiple times the user manual.
- Updated: Pressing the F1 key in the focused window will open the user manual to the corresponding topic instead of the main page.
- Updated: The user manual topics were extended.

Note that the installer size was increased because the .chm file is also packed into the installer.

- The search for duplicate rules is made on the following columns: Program, Location, Action, Direction, Local addresses, Local ports, Remote ports, Remote addresses, Protocol, Service, Edge traversal, ICMP settings, Interface types. The following columns are not taken into consideration during the search: Name, Group, Description, Enabled. The results contain only the rules for which at least two similar rules were found.

- I tried to group the duplicated rules results in a more user friendly way. Unfortunately, even if the user interface looked pretty good, the grouping on the data grid was very very slow and the entire experience was extremely poor. I will look for an alternative way in the future. Currently they are displayed by groups but the grouping has no visual expression.

Spanish manual user the latest version, does not start with F1 key or icon in WFC.Checked same file in version 4.8.3.0 and works well.

English user manual if it works in both versiones.¿Possible problem file size?

Spanish = 1.51 mb
English = 9.48 kb

regards

Click to expand...

The user manual is still under development and is still changing. Version 4.8.3.0 just launched an external process with the chm file, while version 4.8.4.0 is able to launch the help file inside WFC on specific topic depending on where the user presses F1 key. These topics have some IDs which were reassigned in the last version of the user manual. Because the user manual part is something new in WFC, these IDs will probably change again in the future until I have a definitive structure.

I couldn't turn on network discovery and advanced file sharing options, and luckily the above posts explained it. I have secure rules on; I had to reinstall and select "Import group names from current existing rules". When I uninstalled I selected "Restore to the state before installing this program". This is great.

While doing this, I thought it would be nice to actually see the list of group names from current existing rules. Maybe like the pic below. Thanks again for the wonderful WFC.

Attached Files:

I couldn't turn on network discovery and advanced file sharing options, and luckily the above posts explained it. I have secure rules on; I had to reinstall and select "Import group names from current existing rules". When I uninstalled I selected "Restore to the state before installing this program". This is great.

While doing this, I thought it would be nice to actually see the list of group names from current existing rules. Maybe like the pic below. Thanks again for the wonderful WFC.

Click to expand...

This approach uses too much space and does not have a way to enter something new. You can add only the existing entries. I guess this will remain as it is now.

Meanwhile I managed to define a visual style to group the duplicate rules and the results looks like this. This works pretty fast and will be included in the next version.

Alexandrud, how exactly does this Secure rules work. The help file is not very informative to me. If I select it and highlight WFC only the rules in current WFC group are imported and Secured and all the rest are either deleted or disabled correct? How does one create a Group with ALL the current rules secured? Your not saying that I have to go to All Rules and No Filter and manually Add to Group>WFC? Not sure how Secure rules work.